Vulnerability Allows Hackers to Remotely Control Train Brakes

Alan V Gutnov

Director of Strategy

 
July 15, 2025

Vulnerabilities in Train Brake Systems

Many trains in the U.S. face a serious security vulnerability that allows hackers to remotely engage the brakes. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged this issue, which could have catastrophic effects on passenger safety and freight operations. The flaw, tracked as CVE-2025-1727, has been known for over a decade but has only recently come to light due to increased scrutiny.

Independent researcher Neil Smith discovered this vulnerability in 2012. It stems from weak authentication in the communication link between End-of-Train (EoT) and Head-of-Train (HoT) devices, which relies primarily on a simple BCH checksum for validation. A checksum detects transmission errors but involves no secret, so it cannot prove who sent a packet. This outdated protocol enables attackers to craft malicious brake commands using software-defined radio equipment that costs less than $500.
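The distinction between error detection and authentication, as an added illustration that is not from the original article or from any rail vendor: a checksum-only receiver accepts a frame from any sender, while a receiver that checks a keyed MAC and a counter rejects unkeyed and replayed frames. The BCH(15,7) code, frame layout, key and counter scheme are assumptions chosen for the example and are not the EoT/HoT protocol's parameters.

```python
import hashlib
import hmac

# Toy BCH(15,7) generator x^8+x^7+x^6+x^4+1 (textbook code, not any rail protocol's).
GEN = 0b111010001

def bch_parity(data7: int) -> int:
    """8 parity bits for a 7-bit payload (remainder of data*x^8 mod GEN)."""
    rem = data7 << 8
    for shift in range(6, -1, -1):
        if rem & (1 << (shift + 8)):
            rem ^= GEN << shift
    return rem & 0xFF

def checksum_accepts(frame15: int) -> bool:
    """Checksum-only validation: no secret, so any sender can satisfy it."""
    return bch_parity(frame15 >> 8) == (frame15 & 0xFF)

def mac_frame(key: bytes, counter: int, payload: int) -> bytes:
    """Hypothetical hardened frame: counter || payload || truncated HMAC."""
    body = counter.to_bytes(4, "big") + bytes([payload])
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]

class MacReceiver:
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, -1
    def accepts(self, frame: bytes) -> bool:
        body, tag = frame[:5], frame[5:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, good):
            return False                      # sender does not hold the key
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.last_counter:
            return False                      # replayed or stale frame
        self.last_counter = counter
        return True

def demo() -> dict:
    payload = 0b1010011                       # constructed sample value
    unkeyed = (payload << 8) | bch_parity(payload)
    rx = MacReceiver(b"constructed-shared-key")
    genuine = mac_frame(b"constructed-shared-key", 1, payload)
    return {
        "checksum_accepts_any_sender": checksum_accepts(unkeyed),
        "checksum_detects_bit_error": not checksum_accepts(unkeyed ^ 0b100),
        "mac_rejects_wrong_key": not rx.accepts(mac_frame(b"guess", 1, payload)),
        "mac_accepts_genuine": rx.accepts(genuine),
        "mac_rejects_replay": not rx.accepts(genuine),
    }
```

Calling `demo()` returns a dictionary in which every check is `True`: the checksum does its real job of catching a flipped bit, but only the keyed receiver distinguishes a legitimate sender from anyone else.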

Smith stated, “All of the knowledge to generate the exploit already exists on the internet. AI could even build it for you.” Exploitation requires physical proximity, which limits remote hacks, but the flaw still poses a significant threat to operational safety.

Major EoT/HoT Vulnerability

The Association of American Railroads (AAR) has acknowledged the need to replace the insecure EoT and HoT protocols that link locomotives to the EoT devices, commonly known as “FREDs” (Flashing Rear End Devices). This decision comes more than 12 years after the issue was initially reported. The EoT devices collect telemetry and can receive commands from conductors, including the ability to apply brakes from the back of the train.

Image: Neil Smith (courtesy of Risky Business)

Smith’s initial report to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) did not lead to immediate action from the AAR, which downplayed the threat. Smith’s persistence, alongside the independent discovery of the same issue by another security researcher, Eric Reuter, eventually led to renewed attention on the vulnerability.

The AAR is set to replace the old protocol with the IEEE 802.16t Direct Peer-to-Peer (DPP) protocol, which promises better security and lower latency. However, this transition will involve replacing over 75,000 EoT devices across North America, a task expected to take 5 to 7 years and cost between $7 billion and $10 billion.

Exploitation Risks

The implications of this vulnerability are severe. Hackers could potentially disrupt rail operations by triggering emergency brakes remotely, leading to passenger injuries, derailments, and widespread transportation disruptions. CISA's advisory emphasizes that successful exploitation could allow attackers to send unauthorized brake control commands to the EoT devices.

Image: Train Safety (courtesy of Security Affairs)

Despite the risks, there have been no reports of active exploitation so far. Smith warns against testing these vulnerabilities, citing the severe potential consequences, including loss of life. The delay in addressing this issue raises questions about industry accountability in safeguarding critical infrastructure.

Conclusion

The vulnerabilities in the train brake systems highlight significant gaps in cybersecurity within the railway industry. The lack of action over the years and the eventual acknowledgment of the issue underscore the need for urgent remediation. The transition to more secure protocols cannot come soon enough, as the current systems remain susceptible to exploitation.

For those interested in ensuring the safety of their operations or looking for advanced cybersecurity solutions, Gopher Security offers a range of services that can help mitigate these risks.


MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.
